public inbox for linux-audit@redhat.com
From: Burn Alting <burn@swtf.dyndns.org>
To: linux-audit@redhat.com
Subject: Are the writing of an events records to audit.log atomic should a log rotation occur
Date: Sat, 02 Feb 2013 10:51:29 +1100
Message-ID: <1359762689.3612.11.camel@swtf>



All,

When rotating log files due to a USR1 signal being sent, or for any
other reason, does auditd finish writing all the records that belong to
the current event being written before starting the new log file?

That is, will I find records belonging to a single event in two log
files?

If this is the case, would there be problems if auditd was changed to
wait and 'flush' all of an event's records before rotating? One assumes
auditd-event.c would need to be modified to be more event aware. Perhaps
make use of AUDIT_EOE or other means of identifying the end of an event
or a single event.

Thanks in advance

Burn Alting
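
Added example, not part of the original message and not code from the audit project: one way to check a set of rotated logs for the condition asked about above, by grouping records on the event id in msg=audit(<time>:<serial>) and reporting any id whose records appear in more than one file. The file names, sample records and function names are constructed for illustration, and the sample only models the case being asked about.

```python
import re
from collections import defaultdict

# Each record starts: type=<TYPE> msg=audit(<epoch>.<msec>:<serial>):
# Records sharing the same <epoch>.<msec>:<serial> belong to one event.
RECORD = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+:\d+)\):")

def find_split_events(logs):
    """logs maps file name -> list of record lines.
    Returns {event_id: {file: [record types]}} for every event whose
    records appear in more than one file."""
    events = defaultdict(lambda: defaultdict(list))
    for name, lines in logs.items():
        for line in lines:
            m = RECORD.match(line)
            if m:  # skip blank or malformed lines
                events[m.group(2)][name].append(m.group(1))
    return {eid: dict(files) for eid, files in events.items() if len(files) > 1}

def has_end_marker(files):
    """True if any file holds a type=EOE record for the event (assumes the
    log keeps EOE records; not every event type emits one)."""
    return any("EOE" in types for types in files.values())

# Constructed sample: event 101 is cut by a rotation, events 100 and 102 are whole.
SAMPLE = {
    "audit.log.1": [
        'type=SYSCALL msg=audit(1359762689.100:100): arch=c000003e syscall=2 success=yes',
        'type=CWD msg=audit(1359762689.100:100): cwd="/root"',
        'type=PATH msg=audit(1359762689.100:100): item=0 name="/etc/passwd"',
        'type=EOE msg=audit(1359762689.100:100): ',
        'type=SYSCALL msg=audit(1359762689.250:101): arch=c000003e syscall=2 success=yes',
        'type=CWD msg=audit(1359762689.250:101): cwd="/root"',
    ],
    "audit.log": [
        'type=PATH msg=audit(1359762689.250:101): item=0 name="/etc/shadow"',
        'type=EOE msg=audit(1359762689.250:101): ',
        'type=USER_LOGIN msg=audit(1359762690.010:102): pid=4242 uid=0',
    ],
}

if __name__ == "__main__":
    for eid, files in find_split_events(SAMPLE).items():
        print(eid, files, "EOE seen:", has_end_marker(files))
```

A per-file parser that treats each log in isolation would see event 101 here as two incomplete events, which is why the grouping is done across all files before any event is interpreted.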


Thread overview: 3+ messages
2013-02-01 23:51 Burn Alting [this message]
2013-02-04 19:32 ` Are the writing of an events records to audit.log atomic should a log rotation occur Steve Grubb
2013-02-04 20:51   ` Burn Alting
